Commit Graph

13949 Commits

Author SHA1 Message Date
Fraser Tweedale
d7f3a0b2d3 ra.get_certificate: use REST API
Update ra.get_certificate to use the Dogtag REST API.  This change
is being done as part of the Dogtag GSS-API authentication effort
because the servlet-based method expects an internal Dogtag user.
It is less intrusive to just change FreeIPA to call the REST API
instead (which is also part of an existing ticket).

Depends on https://pagure.io/dogtagpki/issue/2601 (which was merged
and released long ago).

Part of: https://pagure.io/freeipa/issue/3473
Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-30 16:18:21 +02:00
Fraser Tweedale
0c0061babd extract virtual operation access check subroutine
Outside of virtual commands themselves there is no way to evaluate
access to perform a virtual operation.  Such a capability will be
needed for Dogtag-based certificate request validation using
Kerberos proxy credentials.

Add the 'check_operation_access' method for explicit virtual
operation access checks.  Refactor 'VirtualCommand.check_access()'
to use it.

Part of: https://pagure.io/freeipa/issue/5011
Part of: https://pagure.io/freeipa/issue/6423

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-30 11:47:29 +02:00
Anuja More
d39786c051 ipatests: xfail test with older versions of sssd
Related to: https://pagure.io/SSSD/sssd/issue/4173

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
2020-06-30 09:09:13 +02:00
Anuja More
0cb0056fd6 ipatests: Test that trusted AD users should not lose their AD domains.
When AD user is added customized idview and UID, GID
is overriden. Then SSSD should not fail to retrieve
AD domain details.

Related: https://pagure.io/SSSD/sssd/issue/4173

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
2020-06-30 09:09:13 +02:00
Fraser Tweedale
c7766ebb94 Define errors_by_code in ipalib.errors
The errors_by_code mapping could be used in more places.  In
particular it will be useful in the Dogtag GSS-API authentication
effort.  Move to ipalib.errors.

Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-29 12:03:16 +10:00
Armando Neto
cc624fb178 ipatests: bump prci templates
Remove all freeipa-* packages from template:
bdd98c3b9d

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-26 16:47:54 -03:00
François Cami
73c02f635d ipatests: ipa_epn: uninstall/reinstall ipa-client-epn
Due to https://github.com/freeipa/freeipa-pr-ci/issues/378
the installed version of freeipa-client-epn is not the built
one. Temporarily force uninstall/reinstall of this package
before running the test.

Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-25 15:20:21 +02:00
François Cami
0d4f022b3b ipatests: check that EPN's configuration file is installed.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-25 15:20:21 +02:00
François Cami
1d7aeaebb2 man pages: fix epn.conf.5 and ipa-epn.1 formatting
Fix formatting issues found with mandoc.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-25 15:20:21 +02:00
François Cami
6efe991797 EPN: ship the configuration file.
Ship and install /etc/ipa/epn.conf.
Minor fixes to the associated man page.

Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-25 15:20:21 +02:00
Alexander Bokovoy
1f6ca418ee handle Y2038 in timestamp to datetime conversions
According to datetime.utcfromtimestamp() method documentation[1],
this and similar methods fail for dates past 2038 and can be replaced by
the following expression on the POSIX compliant systems:

  datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=timestamp)

Make sure to use a method that at least allows to import the timestamps
properly to datetime objects on 32-bit platforms.

[1] https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp

Fixes: https://pagure.io/freeipa/issue/8378

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-25 09:18:02 +03:00
Florence Blanc-Renaud
a3c648bd92 ipatests: fix the method adding ifp to sssd.conf
The test TestCertsInIDOverrides enables the ifp service in
sssd.conf by a sed command. If the service is already enabled,
the ifp service appears multiple times in the section
[sssd]
services = ..ifp...ifp
and sssd fails to start.

Use tasks.remote_sssd_config to properly configure the
services as this API properly handles the case when the
service is already configured.

Fixes: https://pagure.io/freeipa/issue/8371
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-24 17:22:24 -04:00
Florence Blanc-Renaud
dc11b98e4a Unify spelling of "One-Time Password" (take 2)
The previous fix for the spelling of "One-Time Password"
missed a few lines.

Fixes: https://pagure.io/freeipa/issue/8381
Related: https://pagure.io/freeipa/issue/5628
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-24 14:55:27 +02:00
Christian Heimes
1144da5d94 RHEL 8.3 has KRB5 1.18 with KDB 8.0
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-24 13:49:14 +02:00
sumenon
f1b2d7b6fc Modified YAML to include healthcheck AD tests
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-24 10:23:26 +02:00
sumenon
769c87f5e7 ipatests: Tests to check ipahealthcheck tool with IPA-AD trust scenario
Tests for below checks are included
IPATrustDomainsCheck
IPATrustControllerConfCheck
IPAsidgenpluginCheck
IPATrustControllerServiceCheck
IPATrustAgentMemberCheck
IPATrustCatalogCheck

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-24 10:23:26 +02:00
Florence Blanc-Renaud
511f5194dc client install: fix broken sshd config
If ipa client was installed with openssh-server >= 8.2, the
configuration parameters for sshd were put in /etc/ssh/sshd_config
instead of in a snippet in /etc/ssh/sshd_config.d.
Upgrade to this new ipa version fixes the sshd conf by
moving the params to the snippet.

Related: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-23 11:11:46 +02:00
Florence Blanc-Renaud
3cf9979aec ipa-client-install: use sshd drop-in configuration
sshd 8.2+ now supports the "Include" keyword in sshd_config and
ships by default /etc/ssh/sshd_config with
"Include /etc/ssh/sshd_config.d/*"

As fedora 32 provides a config file in that directory (05-redhat.conf) with
ChallengeResponseAuthentication no
that is conflicting with IPA client config, ipa-client-install now needs
to make its config changes in a drop-in file read before 05-redhat.conf
(the files are read in lexicographic order and the first setting wins).

There is no need to handle upgrades from sshd < 8.2: if openssh-server
detects a customisation in /etc/ssh/sshd_config, it will not update
the file but create /etc/ssh/sshd_config.rpmnew and ask the admin
to manually handle the config upgrade.

Fixes: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-23 11:11:46 +02:00
François Cami
c5e6fe057c ipatests: increase test_caless_TestReplicaInstall timeout
test_caless_TestReplicaInstall timeout seems too short.
Extend it.

Fixes: https://pagure.io/freeipa/issue/8377
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-06-23 10:38:24 +02:00
Christian Heimes
3ec1b77f6a Terminology improvements: use block list
Some places have to use the old name because it's part of the stable API
or stable LDAP attributes.

See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-23 10:16:29 +02:00
Christian Heimes
3ce816ba77 Terminology improvements: use allow list
See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-23 10:16:29 +02:00
Christian Heimes
5c09dcdb98 Grammar: whitespace is a word
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-23 10:16:29 +02:00
Christian Heimes
523f70ae46 Terminology improvements: CA renewal
The term "CA renewal master" is a fixed term in FreeIPA and cannot
easily be replaced with an alternative term. At least we should use the
term consistently.

See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-23 10:16:29 +02:00
Peter Keresztes Schmidt
ea5c0a1f7c Unify spelling of "One-Time Password"
Spelling is in accordance with the HOTP
RFC 4226 and TOTP RFC 6238.

Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-23 10:11:09 +02:00
Peter Keresztes Schmidt
d63a91da4b WebUI: reword OTP info message displayed during PW reset
The message displayed before is now limited to the OTP
sync form, for which it was written originally.
A new message is introduced for the PW reset form,
which clarifies the usage of the OTP field.

Fixes: https://pagure.io/freeipa/issue/5628
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-23 10:11:09 +02:00
Peter Keresztes Schmidt
13b177822e WebUI: move OTP to be the last field in the PW reset form
Since TOTPs have a limited validity, let the user enter
them as the last item in the form.
This reduces the chance of the TOTP getting invalid while
the user is still filling out other fields.

Related: https://pagure.io/freeipa/issue/5628
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-23 10:11:09 +02:00
Alexander Scheel
3ecea7800a Configure PKI AJP Secret with 256-bit secret
By default, PKI's AJP secret is generated as a 75-bit password. By
generating it in IPA, we can guarantee the strength of the AJP secret.
It makes sense to use a stronger AJP secret because it typically
isn't rotated; access to AJP allows an attacker to impersonate an admin
while talking to PKI.

Fixes: https://pagure.io/freeipa/issue/8372
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
Related: https://github.com/dogtagpki/pki/pull/437

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-23 09:20:24 +02:00
Alexander Scheel
c5e9bd61d6 Clarify AJP connector creation process
We do two things:

 1. Fix the xpath for AJP connector verification. An AJP connector is
    one which has protocol="AJP/1.3", NOT one that has port="8009". An
    AJP connector can exist on any port and port 8009 can have any
    protocol. Secrets only make sense on AJP connectors, so make the
    xpath match the existing comment.

 2. Add some background in-line documentation about AJP secret
    provisioning. This should help future developers understand why this
    was added to IPA and what limitations there are in what PKI or IPA
    can do. Most notably, explain why Dogtag can't upgrade the AJP
    connector to have a secret in the general case.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-23 09:20:24 +02:00
Fraser Tweedale
68ada5f204 fix iPAddress cert issuance for >1 host/service
The 'cert_request' command accumulates DNS names from the CSR,
before checking that all IP addresses in the CSR are reachable from
those DNS names.  Before adding a DNS name to the set, we check that
that it corresponds to the FQDN of a known host/service principal
(including principal aliases).  When a DNS name maps to a
"alternative" principal (i.e.  not the one given via the 'principal'
argument), this check was not being performed correctly.
Specifically, we were looking for the 'krbprincipalname' field on
the RPC response object directly, instead of its 'result' field.

To resolve the issue, dereference the RPC response to its 'result'
field before invoking the '_dns_name_matches_principal' subroutine.

Fixes: https://pagure.io/freeipa/issue/8368
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-23 10:22:38 +10:00
Serhii Tsymbaliuk
c2ba333b96
WebUI: Fix "IPA Error 3007: RequirmentError" while adding idoverrideuser association
Add builder for association adder dialog which allows to override behavior of the component.
Replace default implementation with a custom one for idoverrideuser.
Replace text filter with 'ID view' select box in the idoverrideuser dialog.

Ticket: https://pagure.io/freeipa/issue/8335

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-22 09:31:34 +02:00
Christian Heimes
6e3346f0a7 Use old uglifyjs on RHEL 8
RHEL 8 buildroot does not have python3-rjsmin yet. Fall back to
uglifyjs.

See: https://pagure.io/freeipa/issue/8300
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-19 08:40:15 +02:00
François Cami
533ec75494 .mailmap: add fcami
Add myself to .mailmap.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-17 15:40:47 -04:00
Christian Heimes
5a3b5f3aff Build ipa-selinux package on RHEL 8
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-17 13:38:59 +02:00
Armando Neto
04ce1a415b ipatests: bump prci templates
New images were necessary to include updated `selinux-policy` package.

Rawhide image based on `Fedora-Rawhide-20200607.n.0` compose.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-17 08:03:17 +02:00
Petr Vobornik
3912e8e673 baseuser: fix ipanthomedirectorydrive option name
It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.

This fixes showing the field in Web UI and also should fix CLI as it
probably never worked.

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-16 19:06:02 -04:00
Fraser Tweedale
19544d53ae fix cert-find errors in CA-less deployment
Under some search conditions (in particular, when user is
specified), the CA sub-search of cert-find command throws an error
on CA-less deployments.  Do not execute the CA sub-search on CA-less
deployments.

Fixes: https://pagure.io/freeipa/issue/8369
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-16 15:37:08 -04:00
Petr Vobornik
f6707a71dc webui: hide user attributes for SMB services section if empty
This section should be hidded if user object hasn't ipantuserattrs
object class. I.e. when trusts are not enabled.

Web UI framework already supports hidding of sections if the
section contains no visible field. So to achieve it we simply needs
to hide the fields. Given that attributelevelrights
contains rights only for attributes of current object classes, all
of these are regarded as not writable.

We can leverage feature of input_widget that it gets hidden
when the attribute is not writable and has no value and widget's
"hidden_if_empty" is set to true. Thus doing it here.

For this to work, it is also required to fix an issue with
"ipanthomedirectorydrive" which is optional (in API) but Web UI
doesn't offer "empty" ("") value. Adding it here.

fixes: https://pagure.io/freeipa/issue/8336

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2020-06-16 11:39:55 +03:00
Christian Heimes
4911a3f055 Prevent local account takeover
It was found that if an account was created with a name corresponding to
an account local to a system, such as 'root', was created via IPA, such
account could access any enrolled machine with that account, and the local
system privileges. This also bypass the absence of explicit HBAC rules.

root principal alias
-------------------

The principal "root@REALM" is now a Kerberos principal alias for
"admin". This prevent user with "User Administrator" role or
"System: Add User" privilege to create an account with "root" principal
name.

Modified user permissions
-------------------------

Several user permissions no longer apply to admin users and filter on
posixaccount object class. This prevents user managers from modifying admin
acounts.

- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user

``System: Unlock User`` is restricted because the permission also allow a
user manager to lock an admin account. ``System: Modify Users`` is restricted
to prevent user managers from changing login shell or notification channels
(mail, mobile) of admin accounts.

New user permission
-------------------

- System: Change Admin User password

The new permission allows manipulation of admin user password fields. By
default only the ``PassSync Service`` privilege is allowed to modify
admin user password fields.

Modified group permissions
--------------------------

Group permissions are now restricted as well. Group admins can no longer
modify the admins group and are limited to groups with object class
``ipausergroup``.

- System: Modify Groups
- System: Remove Groups

The permission ``System: Modify Group Membership`` was already limited.

Notes
-----

Admin users are mostly unaffected by the new restrictions, except for
the fact that admins can no longer change krbPrincipalAlias of another
admin or manipulate password fields directly. Commands like ``ipa passwd
otheradmin`` still work, though. The ACI ``Admin can manage any entry``
allows admins to modify other entries and most attributes.

Managed permissions don't install ``obj.permission_filter_objectclasses``
when ``ipapermtargetfilter`` is set. Group and user objects now have a
``permission_filter_objectclasses_string`` attribute that is used
by new target filters.

Misc changes
------------

Also add new exception AlreadyContainsValueError. BaseLDAPAddAttribute
was raising a generic base class for LDAP execution errors.

Fixes: https://pagure.io/freeipa/issue/8326
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1810160
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-06-15 22:44:42 +03:00
Mohammad Rizwan
32a5359ece Xfail test for sssd < 2.3.0
This fix is available in sssd 2.3.0+. On older version
test will fail. Hence added xfail.

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-06-15 14:22:56 +02:00
Mohammad Rizwan
e33ffab534 ipatests: Test ipa user login with wrong password
When ipa user login to machine using wrong password, it
should log proper message in /var/log/secure

related: SSSD/sssd#5139

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-06-15 14:22:56 +02:00
Florence Blanc-Renaud
c358f8dbb5 ipatests: Update the pki-master-f32 image version
There is a new Vagrant image for pki-master-f32, that contains
jss 4.7.0-0 instead of jss 4.7.0-1.
This change is required because the copr repo @pki/master initially
provided 4.7.0-1 but went backwards in the version number, and
critical fixes are available in 4.7.0-0.

Without this change, the vagrant image is using 4.7.0-1 and tries to
update (not downgrade), hence does not install the most recent version
with the fixes.

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-06-15 14:13:55 +02:00
Florence Blanc-Renaud
98c1017caa ipatests: add a test for ipa-replica-install --setup-ca --http-cert-file
The options *-cert-file are used for a CA-less replica installation and
are mutually exclusive with --setup-ca.
Add a test for this use case.

Related: https://pagure.io/freeipa/issue/8366
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-12 08:34:51 +02:00
Florence Blanc-Renaud
51cb631db3 ipa-replica-install: --setup-ca and *-cert-file are mutually exclusive
ipa-replica-install currently accepts both --setup-ca and *-cert-file
even though the options should be mutually exclusive (either install
CA-less with *-cert-file options or with a CA).

Add a check enforcing the options are mutually exclusive.

Fixes: https://pagure.io/freeipa/issue/8366
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-12 08:34:51 +02:00
Christian Heimes
a18d406b56 Move ipa-epn systemd files and run RPM hooks
The init/systemd directory is for server only and not part of
CLIENT_ONLY builds.

It's necesary to run pre/post installation hooks to make systemd aware
of new files.

Fixes: https://pagure.io/freeipa/issue/8367
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-11 17:27:31 +02:00
Florence Blanc-Renaud
1487665779 ipatests: fix the disable_dnssec_validation method
Bind configuration now includes 2 snippet config files, in
/etc/named/ipa-ext.conf and /etc/named/ipa-options-ext.conf

When a test needs to disable dnssec-validation, it needs to edit
the snippet ipa-options-ext.conf instead of /etc/named.conf.

This commit fixes the method tasks.disable_dnssec_validation so that it
correctly updates the snippet.

Fixes: https://pagure.io/freeipa/issue/8364
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-11 10:33:33 +02:00
Alexander Bokovoy
296ddcd32c update list of contributors
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-10 22:28:56 +03:00
Alexander Bokovoy
81f7863b3f Update translation files
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-10 22:27:31 +03:00
Rob Crittenden
ba7974bfd1 IPA-EPN: Don't treat givenname differently
This was returning givenname as a list and not as a single
string which messed up the templating.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
cb205cc5e4 IPA-EPN: add test to validate smtp_delay value
Configuration test to ensure that smtp_delay validation is
properly enforced.

Also reset the epn configuration when the tests are run.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
3b266d3957 IPA-EPN: add smtp_delay to limit the velocity of e-mails sent
Provide a knob so the mail queue doesn't get completely flooded
with new e-mails.

Default to no wait, value in milliseconds.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00